Norfolk Constabulary has made the decision to formally close its investigation into the hacking of online data from the Climate Research Centre (CRU) at the University of East Anglia (UEA) in Norwich.

The decision follows a comprehensive investigation by the force’s Major Investigation Team, supported by a number of national specialist services, and is informed by a statutory deadline on criminal proceedings.

While no criminal proceedings will be instigated, the investigation has concluded that the data breach was the result of a ‘sophisticated and carefully orchestrated attack on the CRU’s data files, carried out remotely via the internet’.

Senior Investigating Officer, Detective Chief Superintendant Julian Gregory, said: “Despite detailed and comprehensive enquiries, supported by experts in this field, the complex nature of this investigation means that we do not have a realistic prospect of identifying the offender or offenders and launching criminal proceedings within the time constraints imposed by law.

“The international dimension of investigating the World Wide Web especially has proved extremely challenging.

“However, as a result of our enquiries, we can say that the data breach was the result of a sophisticated and carefully orchestrated attack on the CRU’s data files, carried out remotely via the internet. The offenders used methods common in unlawful internet activity to obstruct enquiries.

“There is no evidence to suggest that anyone working at or associated with the University of East Anglia was involved in the crime.”

The security breach was reported to Norfolk Constabulary on 20 November 2009, following publication of CRU data on the internet from 17 November onwards.

An investigation was launched by the joint Norfolk and Suffolk Major Investigation Team, led by Det Chief Supt Gregory, with some support from the The Met’s Counter Terrorism Command, the National Domestic Extremism Team and the Police Central e-crime Unit, along with consultants in online security and investigation.

The investigation, code-named Operation Cabin, focused on unauthorised access to computer material, an offence under the Computer Misuse Act 1990, which has a three year limit on proceedings from the commission of the original offence. It has been concluded by Norfolk Constabulary, in consultation with The Met, that due to outstanding enquiries this is now an unrealistic prospect.

Norfolk Assistant Chief Constable Charlie Hall, Protective Services lead, said: “Online crime is a global issue. While law enforcement agencies continue to develop our response to emerging threats, it falls upon individuals and organisations to be alert to this and and take steps to mitigate risk as far as is practicable.”

Reader Comments (101)

"the joint Norfolk and Suffolk Major Investigation Team, led by Det Chief Supt Gregory, with some support from the The Met’s Counter Terrorism Command, the National Domestic Extremism Team and the Police Central e-crime Unit, along with consultants in online security and investigation"

An impressive array of entities. I'm sure they'll do better next time. ;)

Oh, and we'd like to set up a rather large bureaucracy with a focus on cybercrime, um, outside of normal public scrutiny. We might add that we really didn't look very hard, because it might have caused some discomfort to the wonderful scientists at UEA and to those who participated in the various Inquiries undertaken by paid hacks. Like what did we expect from them? Jeez.....

"the joint Norfolk and Suffolk Major Investigation Team, led by Det Chief Supt Gregory, with some support from the The Met’s Counter Terrorism Command, the National Domestic Extremism Team and the Police Central e-crime Unit, along with consultants in online security and investigation"

That seems like a lot of man power and effort to investigate the leak of some emails from an academic institution. If I was a UK taxpayer, I'd ask what the justification was for this expense.

How is this even related to "Counter Terrorism" or "Domestic Extremism"?

They are effectively saying: It was a hacker. We can't prove it. But we know. We can't show you how we know. You can't see the evidence. We're not going to answer any questions. But it was a hack. Honest. Trust us, we're in charge.

There are so many dimensions to this, all of which stink so it is hard to know where to start.

Were it to be proved that it was an outside attack (I dont believe that for a minute) then when does "seeking the truth" become terrorism?When journalists reveal truth about politicians as in the expenses shambles, this is considered a good thing.When the hero of Climategate revealed the corruption at the UEA which is part of a multi billion pound scandal, it is terrorism??Did they really find nothing or are we merely seeing the politically correct explanation?

I find it really sad that at the end of all this I dont trust the police, I dont trust the scientists at UEA and I dont trust the government. The only person who comes out smelling of roses is the hacker/whistleblower.

That is false on its face. There is evidence to suggest that. They should have added some qualifiers to that, like no evidence on the computers, etc.

"The offenders used methods common in unlawful internet activity to obstruct enquiries."I'd like to have some confirmation from them that this is beyond that FOIA used proxies to distribute the files. Did they find evidence of a hack as far as the theft of files?

I call BS on this one. The selection of emails and files is to refined and focused to be done remotely from outside. The data was clearly collected for FOIA responses by CRU.

How the data was copied is probably unknown, and who posted it in Russia is impossible to track.

But the data is to large and well filtered to be a random data grab. Whoever copied the data, copied the FOIA data CRU had collected, and knew it was just the FOIA data CRU was trying to hold back (for obvious reasons).

??? The use of the words "hack" and "unauthorized access" isn't - to my knowledge - fully justified, is it?

Please, can someone explain to me the justifiability of these unambiguous assignments, or can someone, who has good English, ask Norfolk Constabulary for an explanation why they don't write something of the kind like "probable hack"?

There is obviously no sufficient, hard evidence to suggest/claim certainty. If - and the possibility still seems to exist! - that digital material was freely available at a time it was no "hack" and nobody needed an authorization to access the material.

One would hope that UEA has learned its lesson. Clearly centralised e-mail and data storage makes too easy a target for sophisticated and well-orchestrated gangs; they should consider using a more distributed approach!May I suggest gmail and thumb-drive storage so that individual employees can look after the data themselves?

It would be interesting to get an FOIA request for the the total cost of the investigation. I'm sure they won't be releasing details of the investigation itself, and I'm actually not sure I think that is a bad thing when considered in the broader context of police investigations generally, but the cost would be an indication of how much real investigation was done.bob

The scientist most criticised in the wake of the e-mail release, CRU research director Prof Phil Jones, said he hoped the announcement "will draw a line under the stressful events of the last two and half years".

This statement seems to take the idea of a whitewash to a totally new level. - Despite the best efforts of the UK's supposedly elite police cybercrime/terrorism units for nearly three years, they are incapable of saying who did it, or how it was done, but they can categorically rule out any involvement of the UEA or any of its employees. The smell of bullshit is becoming overpowering.

Leaving aside what they might know but aren't saying, the statement is ridiculous on its face. They want to say it was some kind of "international" hack and not an insider. Well done FOIA, whoever you may be.

Yet anyone able to do what "FOIA" could do in terms of how the emails were put out there could easily mimic a "hack" from outside in order to avoid leaving tracks from inside.

If they really have "no evidence" of who or what FOIA is then they should just say that. What they cannot reasonably assert is that it's not an insider. I know, they merely said "no evidence" it was an insider.

What they are really saying is that FOIA could be anyone in the world with the requisite skills, inside or outside of UEA.

p.s. It is simply shocking (though not surprising) how placid the journalists and pols are about the use of all these "counter-terrorism" resources for this kind of investigation.

Can one imagine this happening, or all the pols and journalists being so complacent about it, if the same assets were being devoted to, say, an alleged hack-and-release of documents of the GWPF ??? No, it seems apparent that the UEA/CRU climate scientists and their govt patrons have a special status on what merits the protections of counter-terrorism investigators and the "National Domestic Extremism Team" for their computer files.

There is a huge set of issues of (1) "mission creep" as a civil liberties problem where you establish counter-terrorism entities with extraordinary powers and resources which then get applied to other kinds of cases, especially ones with political aspects, and (2) squandering the time and resources supposedly devoted to counter-terrorism (distinct from civil liberties, the issue of why counter-terrorism resources supposed to be protecting the public from bombs on planes and trains etc. are devoted to other, lesser kinds of issues).

One is only likely to think this kind of mis-application of counter-terrorism assets is appropriate if one has a "politicized" view of the matter which elevates the release of Climategate emails to some kind of immense "national security" matter rather than a tussle about academic integrity and whistle-blowing.

So it is inherently a disturbing and "politicized" investigation to utilize counter-terrorism assets in this way, imho.d

Erm - how come the police can have the inside trouser leg measurement of kiddie-fiddlers in a matter of moments from a whole invisible "shadow" web, now they are saying they can't find out who obtained files from CRU ?

Thanks for just reporting the facts, Andrew. However, you left out a couple:

-- Climategate 1.0 and – particularly 2.0 – proved nothing other than the mendacity of those who want to discredit climate science and scientists (i.e. the security breach [singular] was not the act of an internal whistleblower). -- Apart from some understandable frustration with FOI requests and poor housekeeping by scientists, the actual science they had done has been repeatedly vindicated (both by inquiries into the emails and ongoing events in the real world).http://lackofenvironment.wordpress.com/2012/02/27/climategate-2-0-the-final-nail-in-the-coffin-of-climate-change-denial/

False on its face. 1. Not "data files", but the email server. Totally different thing. And not an attack; nothing was disturbed, garbled, or deleted. (Not that CRU has any data files, anyway. Philbert lost 'em all in his terminally messy office. And mind.)2. FOIA carefully purged the email addresses of both senders and receivers throughout. A dastardly criminul international hacker did that? Pull my finger ...3. FOIA explains his purpose, to force some ethics and transparency where little or none exists. And warns of far larger releases (via password for existing widely disseminated files) if things don't shape up. This is an insider's motivation, not an external hacker's.

"-- Climategate 1.0 and – particularly 2.0 – proved nothing other than the mendacity of those who want to discredit climate science and scientists [...]-- Apart from some understandable frustration with FOI requests and poor housekeeping by scientists, the actual science they had done has been repeatedly vindicated..."

Oh god. Really? Why would you even bother? Is your mum going to read this, and be impressed by your input? I'm struggling to think of another reason why you would bother to come here and type those words. A drunken bet, maybe.

P.S. Mendacity. Boy, has that word gained a new lease of life. I know it's all the flavour here in climate-comment land, but really. Can we not go back to using words like "lying"? Lots of people on either (and every) side like to sound fancy with their words. It's not impressive. It's "obfuscating". Which is another irritating word in the same category. People who try to impress by using obscure words... not impressive.

I'd suggest that one should be careful not to jump to conclusions just because the release does not agree with one's own idea of what took place. Reading many of the comments here, it is pretty easy to find fodder for the argument people here are nutter conspiracy theorists. Exactly why would the police want to participate in a particular story line? It is not hard to believe they checked out the UEA servers and individuals at the organisation and determined that it did not originate internally. While that does not completely eliminate the possibility of an employee accessing from outside under a different entity, such an action can accurately be described as hacking.

MikeC I think raises the best point. Were I British taxpayer, my issue would be why something like this rates investigation when there is obviously other, more serious, cyber crime to be concerned about.

According to the logic of this PR stunt, the following statement is also true.

We have investigated the delivery of presents on 25th December. As a result of our enquiries we can say, with certainty, that the presents were delivered as part of a global conspiracy. The individual responsible is a white-bearded gentleman dressed in a red suit. We have amassed incontrovertible evidence which proves this. The evidence, however, is not enough to convict the gentleman in a court of law, or available for the general public to examine.

This clearly lays the matter to rest. Any reasonable person should now be sure that Father Christmas exists

Since nobody actually wanted to catch the leaker anyway, the cover statement is largely irrelevant, though to my mind I consider it to be misleading. Unfortunately for UEA et al, there is still the password-protected archive, delivered into the public domain by CG2.

I had a look at Martin Lack's blog and thought his description of his MA dissertation was something that many here might find illuminating.

I think further comments from me would be superfluous.

More about my chosen MA dissertation topic:“A Discourse Analysis of Climate Change Scepticism in the UK“Abstract: Discourse analysis is understood in the sense proposed by John Dryzek (2005) that it involves the textual assessment of (a) basic entities recognised or constructed; (b) assumptions about natural relationships; (c) agents and their motives; and (d) key metaphors and rhetorical devices used. As a piece of social science research, no attempt is made to prove or disprove the validity of the scientific consensus view that climate change is happening and that human activity is its primary cause. However, this reality has been assumed solely in order to analyse the views of climate change sceptics that dispute it. To this end, the philosophical roots of scepticism; its possible misappropriation for ideological reasons; and the psychological causes of denial are reviewed. In this context, based on the finding of numerous researchers that conservative think-tanks (CTTs) often act as the primary driving force of campaigns to deny environmental problems, the output of such UK-based CTTs is analysed, along with that of scientists, economists, journalists, politicians and others. Whereas the majority of CTTs analysed dispute the existence of a legitimate consensus, and the majority of sceptical journalists focus on conspiracy theories, the majority of scientists and economists equate environmentalism with a new religion; whereas politicians and others analysed appear equally likely to cite denialist and/or economic arguments for inaction. However, because of the economic and political realities of the world in which we live, politicians will not take any action that will be unpopular with business interests and/or the wider electorate. If so, Peter Jacques (2009) would appear to be right to conclude that anti-environmentalism (i.e. environmental scepticism) needs to be exposed as being “in violation of the public interest”.

“I would love to see your thesis when it is complete, sounds very interesting…” (Peter Jacques, August 2011).

Martin Lack has recently started spamming the climate skeptic sites with inflammatory rhetoric on the hopes of increasing traffic at his Joe-Romm-style blog (his long-winded and bilious posts get very few comments). He has demonstrated zero interest in the actual science or in reasoned debate. The best thing to do is to ignore him.